January 13, 2003

Jonathan G. Katz, Secretary

RE: File No. S7-49-02

Dear Mr. Katz:

The Institute of Internal Auditors (IIA) is very interested in and supportive of the Securities and Exchange Commission's (SEC) efforts to improve corporate governance by enhancing the independence of external auditors. The IIA and our 82,000 members believe that good governance and accurate financial reporting emanate from the coordinated interaction of the board/audit committee, management, internal auditors, and external auditors. We believe we are uniquely qualified to offer comments about the impact of certain provisions of the proposed rule regarding the independence of the external auditor, particularly in those areas where there is an internal auditing relationship. Accordingly, in offering our comments on the rules proposed to implement Section 208(a) of the Sarbanes-Oxley Act of 2002, we have focused the majority of our response in areas that are dependent upon understanding the definition of internal auditing and scope of activities performed by internal auditors.

Summary of IIA Positions on Auditor Independence

The IIA believes that preserving the independence of the external auditor is critical to restoring investor confidence and that actions being promulgated by this rule need to provide clear and unambiguous guidance. From the vantage point of The IIA, the most essential outcome of this rule should be a clear definition of internal auditing and its role in the comprehensive system of checks and balances that are essential for an effective governance process. The questions about the extent to which external auditors can perform internal (operational) audits and other non-audit services must be clarified and can best be addressed through rules that clearly define the distinct roles for directors, executive management, public accountants, and internal auditors. We believe that the following are among the critical considerations that need to be addressed:
In response to the issues and questions posed in Section II, Subsection B.5, The IIA recommends that the SEC:
We further recommend that this rulemaking should recognize the Committee of Sponsoring Organizations of the Treadway Commission (COSO) definition of Internal Control to foster understanding of the differences between internal auditing and internal control. [Question 5 of Section II, Subsection B.5].

Finally, we agree with the principles in the paragraph in Section II, Subsection B.5 that external auditors should not audit their own work, perform management functions, or act as an advocate for their clients.

* * *

The following parts of this letter present The IIA's views and recommendations about questions and issues discussed in the SEC release. We have arranged our comments in the order that the issues and questions are presented in the proposal.

Conflicts of Interest Resulting from Employment Relationships [Section II, Subsection A]

The Sarbanes-Oxley Act restricts external auditors from assuming certain employment positions within client organizations. We believe that the SEC rules should be amended to include the position of chief internal audit executive among the list of positions specifically proscribed for a one-year period preceding the date of the initiation of an audit. Presumably the chief internal auditor would fall in the category of "person serving in an equivalent position," but given the significance of the chief audit executive within an organization, relationship with the audit committee, and extent of coordination with the external auditor, we believe this position should be added to and explicitly mentioned in the SEC rules.

The SEC exposure draft questions if a one-year cooling off period is sufficient before audit engagement team members assume certain employment positions, as defined by the SEC, with client organizations. However, one year may not be sufficient in some circumstances.
The relationship between auditor and client may be affected by the tenure of the engagement team members with the external audit firm, length of service to the audit client, the significance of the position in the firm (i.e. partner) or the potential compensation package offered by the client organization. Therefore, we recommend that, in addition to a one-year cooling off period, the audit committee be charged with reviewing the potential employment of someone from the accounting firm to determine if any of the above factors might suggest that a longer period is necessary to assure a cooling of the former relationship. To emphasize the point, we note that the New York Stock Exchange has proposed a five-year cooling off period for independent directors if they are former company employees or employees of the company's independent auditors.

Perhaps of equal significance to considerations about client employment of external auditors is the number of external auditors hired from the same firm. An organization that hires several external auditors from the same public accounting firm, especially from the client engagement team and same local office, into key management positions may need to be more concerned about possible independence considerations. Another factor to consider is the time period during which the hiring is conducted. Hiring a large number of external auditors from the same local office over a relatively short time span could increase the risk of impairments to independence.

Services Outside the Scope of the Practice of Auditors - Internal Audit Outsourcing [Section II, Subsection B.5]

Question 1. Inserting Definition of Internal Auditing

The exposure draft poses the question "Is the definition of the 'internal audit function' sufficiently clear?" However, nowhere is "internal audit function" actually defined. We believe that the rule should include a clear definition of internal auditing.
The IIA has promulgated the most authoritative and widely recognized definition of internal auditing and supports it through a comprehensive framework of standards (Standards for the Professional Practice of Internal Auditing) and guidance (Practice Advisories). The IIA's Professional Practices Framework, which includes the Standards for the Professional Practice of Internal Auditing and the Practice Advisories, can be found on The IIA web site at www.theiia.org. The IIA defines internal auditing as follows:
This definition covers a broad scope of practice, and must be so to reflect the diverse practice of internal auditing in many organizations and on a worldwide basis. However, linking the definition with the Standards provides a sound basis upon which to understand the nature and activities of internal auditing. While The IIA's definition of internal auditing is acknowledged as authoritative and widely accepted around the world, its breadth is indicative of the fact that there is some work performed by the internal auditor and the external auditor that may be similar in nature, employ the same techniques and require audit of some of the same controls, processes or information.

The differences between internal and external auditing are also to be found in the relationship with the organization and in the breadth of services. While both internal and external auditors employ similar systematic and disciplined examination processes, there are distinguishing characteristics. The external auditor or public accountant should always be external to the organization and independent of its management. The external auditor owes primary allegiance to public investors and owners. The primary skill or expertise held by the public accountant is the knowledge of prescribed accounting principles that permit financial statements to be relied on by investors and other stakeholders.

Internal auditors monitor and evaluate the entire system of internal control for the company while maintaining independence from responsibility for management direction and control. However, a professional internal auditing function should be expected to be fully conversant with the goals, policies, and processes of the company including its culture. The primary skill of the internal auditor is the knowledge of the business and broad systems of internal control.
The individual missions of the internal and external auditors converge at the audit committee of the board of directors and bring unique and necessary information to these directors. Both will bring information about the state of internal controls, and the work of each should be carefully coordinated to preclude overlap and omission. The American Institute of Certified Public Accountants and The IIA support the need for this collaborative effort.

Our recommendation is that the SEC should adopt The IIA's definition of internal auditing, endorse The IIA's Standards for the Professional Practice of Internal Auditing (Standards) for those providing internal auditing services, and adopt the safest course of action, which is for the SEC to draw a "bright line" requirement that prohibits the firm that performs the financial statement audit from conducting any internal audit services. No exceptions, no loopholes, no ambiguous terms, and no materiality considerations for "discrete" items. (See subsequent commentary regarding operational audits, audits of small businesses and individual projects).

Question 2. Deleting Exceptions for Small Businesses

The external auditor's independence is impaired if he or she conducts both the financial statement audit and internal auditing services, regardless of the size of the organization. Public companies have an obligation to investors and stakeholders to ensure that financial results are fairly reported and audited by an "independent" public accountant. This obligation holds true for both large and small businesses. If an organization is listed on a public exchange and accepts investors' money, then all listed companies should be required to conform to the same independence standards. Both small and large businesses should implement a proper system of checks and balances to assure investors and other stakeholders that operations are conducted according to established policies and procedures.
Every organization, regardless of size, should have some type of internal control system or process, and, as pointed out in COSO's Internal Control - Integrated Framework, a key component of control is monitoring. Monitoring in a small privately held company can be as basic as the owner reviewing activity in the checkbook. In a larger public company it can be as extensive as an independent, objective assurance and consulting activity, professionally staffed, that evaluates risk management, control, and governance processes.

A formal internal audit function tends to develop over time and grow with the organization. The structure of the internal auditing function may run from assigning someone part-time responsibilities for internal auditing, to reliance on procedures performed periodically by third party providers, to establishing a professionally staffed, in-house internal auditing group. Factors to be considered in determining the need for an internal audit function include stakeholders' expectations, risk tolerance levels, public or legal requirements, and the size and complexity of the organization and its operations. Size factors considered might include assets, revenue, expenses, liquidity and location of assets, number and locations of operating facilities, number of employees, and volume of activity.

Governing bodies may simply need to ask themselves whether they have reliable assurance that financial and other information is correctly reported, whether controls and procedures are functioning as planned, and whether programs are meeting expectations. Audit committees in new industries or in industries undergoing change need to be especially alert to the need to establish and monitor control over risks. Some would say that internal auditing should be established at the time that an organization goes public.
Certainly, any organization that takes shareholder money should have a governance structure comprising strong, independent audit committees supported by professional internal auditors engaged in the assessment of risks and controls.

Question 3. Avoiding the Distinction that Performing Individual Audit Projects is Okay, But Not Outsourcing Services

We do not see any difference in "outsourcing" or "individual audit projects." If the external auditor conducts the financial statement audit and performs internal auditing services, under either term, the effect is still the same - the external auditor is placed in the position of auditing his or her own work and/or performing management functions, and independence is impaired. You can create a different label for the service, but the substance is still the same. Another way of asking this question would be to say "can the external auditor outsource a 'portion' of the internal audit function without impairing independence?" The answer is still the same - independence is impaired regardless of how much of the internal audit activity is performed by the external auditor.

Since potential problems can surface in any area of an organization and can be found during any type of audit - financial, operational, compliance - situations that challenge independence can arise under any scenario. Major problems and potential conflicts of interest can arise in large and small businesses, financial and operational audits, all throughout an organization or in the smallest, most discrete segment of a business. For these reasons, independence safeguards should apply to all businesses, large and small alike, to every type of audit, and from total outsourcing of the entire internal audit function to performance of the smallest internal audit project.

Question 4. Advising Against Any Safeguards That Would Protect Independence in Outsourcing Situations

We are not aware of any safeguards that could be established by the auditor that would prevent independence from being impaired without creating a conflict of interest for the auditor. The auditor being responsible for establishing safeguards to ensure his or her own independence places the auditor in a potential position of having to "blow the whistle" on themselves. This has already proven not to be the best scenario. We believe that the same firm that provides the financial statement audit should be prohibited from providing any internal auditing services and that the SEC should not attempt to develop rules that would permit such services.

Questions 5 and 6. Deleting Exceptions for Operational Internal Audits

The exposure draft indicates that the independence rule "...does not include operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements." While the term "operational internal audits" is used quite frequently, there is no common definition of what this means. Also, it is wrong to assume that operational internal audits are unrelated to internal accounting controls, financial systems, or financial statements.

It is difficult to envision any "operational internal audits" that are actually unrelated to the internal accounting controls, financial systems, or financial statements. All activities in every organization ultimately have an impact on the financial statements, are measured by the financial system in terms of revenue and expenses, and are affected by internal accounting controls - budgets, expense reports, journal entries for transactions, authorization and approval of activities. The trend toward integrated operational and financial systems blurs the differentiation made here.
Rather than provide an exception for "...operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements", which would seem impossible to define, we suggest deleting reference to this point.

Additionally, it may prove extremely difficult to define and subsequently enforce rules that would allow "nonrecurring evaluations of discrete items or programs that are not in substance the outsourcing of the internal audit function." What is "discrete" is left open to interpretation and will certainly vary by organization. Similarly, what is "nonrecurring" is too broad to deal with effectively without specifying a time frame. Should it be "nonrecurring" over one year, two years, or three years? If the internal audit function, or rather the services to be provided, are judged against established principles, and internal audit activities are not specifically defined, it will not be possible to determine what is "...not in substance the outsourcing of the internal audit function."

During the conduct of an audit determined to be an "operational internal audit unrelated to the internal controls, financial systems, or financial statements," what happens if the auditors uncover a weakness or problem that actually affects the internal controls, financial systems, or financial statements? If they report this finding in the operational audit report, does this make the audit an "internal audit that is related to internal controls, financial systems, or financial statements," and therefore a prohibited practice? If the auditors remain silent on the finding, then they have violated internal auditing standards, performed a disservice to the client, failed to meet expectations of stakeholders, and maybe even engaged in or become an accomplice to an illegal activity.
If the audit findings do not reveal problems - either control weaknesses or financial problems - but recommend improvements in operating procedures or other efficiency measures, such action can still translate into an effect on the financial systems or financial statements, or maybe even on internal controls. In order to avoid dilemmas that are almost certain to occur, the rules should not provide exceptions for an activity that cannot be defined and that generates results that ultimately translate into an effect on the financial statements.

COSO stressed the importance of a concept of internal controls broader than internal accounting controls. Modern internal control models such as the COSO model view financial and operational controls as a part of the same system of controls. Operational auditing is the comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives. Internal Control - Integrated Framework states:
The COSO definition of internal control clarifies that operational issues are included within the scope of internal controls. The IIA believes that the SEC's question "Would it impair the auditor's independence if the auditor performs only operational audits unrelated to internal controls, financial systems, or financial statements?" is inconsistent with the COSO definition of internal control. We believe that operational auditing should be subject to evaluation for independence conflicts using the same criteria employed to evaluate all other internal auditing services.

The safest course of action is for the SEC to draw a "bright line" requirement that prohibits the firm that performs the financial statement audit from conducting any internal audit services. No exceptions, no loopholes, no ambiguous terms, and no materiality considerations for "discrete" items.

Audit Committee Administration of the Engagement [Section II, Subsection D]

Question 2. Allowing Audit Committee Policy for Approval of Non-audit Services

The SEC exposure draft questions if it is appropriate for audit committees to establish specific policies for approval of non-audit services as opposed to detailed reviews, presentations, discussions, and votes in advance of each contracted service. The IIA believes that audit committees should be allowed to adopt operating policies that establish appropriate guidelines for contracting non-audit services. Requiring audit committee votes and approvals for each service or transaction is not reasonable or practical and would place the audit committee in a role similar to operating management. Audit committees should be able to adopt a policy to govern this activity and simply review overall compliance with the policy. To facilitate review of policy compliance, a schedule of all services contracted should be reviewed at each audit committee meeting.

Question 5. Requiring Communications with Internal and External Auditors

The SEC exposure draft questions what policies and procedures should be established to facilitate communications between audit committee members and auditors, and for evaluating the independence of external auditors. A properly developed audit committee charter should establish appropriate requirements to facilitate communications and evaluations of auditor independence. In summary, the audit committee charter should contain the following:
To enhance independence, particularly for internal auditors, The Institute recommends that the following provisions be included in the audit committee charter:

The IIA has developed considerable guidance to facilitate interaction between audit committees, internal and external auditors. The following, which can be found on The IIA's web site, is a partial listing of some of this guidance:
* * *

Concluding Remarks

The IIA supports the efforts of the SEC to improve corporate governance. Restoration of confidence must be founded on accepted principles of corporate governance that define the roles of directors, executives, internal auditors, and public accountants. The independence of the public accountant, as addressed in this proposed rule, is critical to making the overall process effective. In conclusion, The IIA's recommendations to the SEC are summarized as follows:

1) In cases where audit clients are contemplating employment of members of the independent auditor's engagement team, we believe that the SEC rules should be amended to include the position of chief internal audit executive among the list of positions specifically proscribed for a one-year period preceding the date of the initiation of an audit.

2) In addition to a one-year cooling off period, the audit committee should be charged with reviewing the potential employment of someone from the accounting firm to determine if any relevant factors might suggest that a longer period is necessary to assure a cooling of the former relationship.

3) We believe that the rule should include a clear definition of internal auditing. The IIA has promulgated the most authoritative and widely recognized definition of internal auditing and supports it through a comprehensive framework of standards (Standards for the Professional Practice of Internal Auditing) and guidance (Practice Advisories). Our recommendation is that the SEC should adopt The IIA's definition of internal auditing and endorse The IIA's Standards for the Professional Practice of Internal Auditing for those providing internal auditing services.
4) In reference to considerations by the SEC to adopt exceptions for limited internal audit services that could be performed by the firm that audits an organization's financial statements, the safest course of action is for the SEC to draw a "bright line" requirement that prohibits the conduct of any internal audit services. No exceptions, no loopholes, no ambiguous terms, and no materiality considerations for "discrete" items.

5) The external auditor's independence is impaired if he or she conducts both the financial statement audit and internal auditing services, regardless of the size of the organization. If an organization is listed on a public exchange and accepts investors' money, then all listed companies should be required to conform to the same independence standards and there should be no exceptions for "small businesses."

6) Since potential problems can surface in any area of an organization and can be found during any type of audit - financial, operational, compliance - situations that challenge independence can arise under any scenario. Major problems and potential conflicts of interest can arise in large and small businesses, financial and operational audits, all throughout an organization or in the smallest, most discrete segment of a business. For these reasons, independence safeguards should apply to all businesses, large and small alike, to every type of audit, and from total outsourcing of the entire internal audit function to performance of the smallest internal audit project.

7) Rather than provide an exception for "...operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements", which would seem impossible to define, we suggest deleting reference to this point.

8) The IIA believes that audit committees should be allowed to adopt operating policies that establish appropriate guidelines for contracting non-audit services.
Requiring audit committee votes and approvals for each service or transaction is not reasonable or practical and would place the audit committee in a role similar to operating management. Audit committees should be able to adopt a policy to govern this activity and simply review overall compliance with the policy.

9) Guidelines to facilitate communications and evaluations of auditor independence should be included in a properly developed audit committee charter.

The IIA stands ready to participate with the SEC in the establishment of rules to implement the provisions of the Sarbanes-Oxley Act.
Attachment 1
Audit Committee Responsibilities
Internal Audit Activity's Role
Communications with the Audit Committee